Concerning the support an SP provides for a limited set of IDPs: if the IDP used by a user, i.e., the IDP to which the user attaches (such as IDP A), is not within the coverage supported by the current SP (such as SP1), the user authentication cannot be completed; authentication of the user can be completed only when the user registers with one of the IDPs supported by the SP (such as IDP B, C and D), or when the user accesses an SP (such as SP2) which supports the IDP used by the user and provides similar services. This is inconsistent with the objective of IDM. However, it appears impossible to unify the IDPs, because of the respective benefits of the IDPs currently in use.
IDM refers to administering the life cycle (usage process) of a user identity and the relationship between the user identity and network application services, based on the network and related supporting technologies. For example, IDM performs authentication or authorization for a user who accesses applications and resources. Currently, IDM systems are still arranged in vertical structures and are independent of each other; most of them are established for particular application services, so that interconnection and intercommunication cannot be achieved between the various IDM systems, and user information (such as a user's trust information and authentication trust) cannot be shared between them.
Interoperation refers to the capability of independent IDM systems to cooperate with one another and to perform operations such as the exchange and communication of valid information (such as a user's trust information). Interoperation is generally established on the basis of mutual trust between IDM systems. Trust relationship establishment between current IDM systems is generally one-to-one, the trust relationship is generally static, and the IDM systems that have a trust relationship with each other are generally confined to one trust domain (or one union). Trust relationship establishment across trust domains (unions), and trust relationship establishment based on trust chains (trust paths), can expand the trust relationships of current IDM systems to a larger scope, so that trust relationship establishment becomes more dynamic, flexible and convenient.
Currently, the SP authentication modes primarily studied are those based on an invariable IDP, wherein if the IDP used by a user is not within the trust coverage of the SP, the user sometimes needs to log on to different IDPs many times to obtain the service of a certain SP, which is inconvenient in practical applications.
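The contrast drawn above, between an SP that accepts only the IDPs it is itself registered with and an SP that can also rely on a trust chain (trust path) across domains, is illustrated by the following Python model. It is an added example, not part of the original text or of any particular IDM product; the trust relationships, the system names (SP1, SP2, IDP_A to IDP_D) and the hop limit are constructed assumptions. The model goes slightly beyond the text by making the chain length a policy parameter, since each extra link is one more party whose assertions the SP ends up relying on.

```python
from collections import deque

# Constructed sample trust relationships (hypothetical, for illustration only).
# An entry X -> {Y, ...} means IDM system X directly trusts assertions issued by Y.
# SP1 directly trusts only IDP B, C and D (one trust domain); IDP A lies in a
# different domain and is reachable only through the cross-domain link IDP D -> IDP A.
DIRECT_TRUST = {
    "SP1": {"IDP_B", "IDP_C", "IDP_D"},
    "SP2": {"IDP_A"},
    "IDP_D": {"IDP_A"},   # cross-domain trust link (assumed)
    "IDP_A": set(),
    "IDP_B": set(),
    "IDP_C": set(),
}


def directly_trusted(sp, idp, trust=DIRECT_TRUST):
    """Static one-to-one trust: the SP accepts only IDPs in its own coverage."""
    return idp in trust.get(sp, set())


def find_trust_path(sp, idp, trust=DIRECT_TRUST, max_hops=3):
    """Breadth-first search for a trust chain sp -> ... -> idp.

    Returns the list of systems on the path, or None when no chain of at most
    max_hops links exists. The hop limit is a policy control: a longer chain
    means more intermediaries whose trust decisions the SP inherits.
    """
    if sp == idp:
        return [sp]
    queue = deque([(sp, [sp])])
    seen = {sp}
    while queue:
        node, path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue
        for nxt in sorted(trust.get(node, set())):  # sorted for deterministic paths
            if nxt in seen:
                continue
            new_path = path + [nxt]
            if nxt == idp:
                return new_path
            seen.add(nxt)
            queue.append((nxt, new_path))
    return None


def authenticate(sp, idp, trust=DIRECT_TRUST, allow_chains=False, max_hops=3):
    """Decide whether sp can complete authentication for a user attached to idp.

    Returns (accepted, reason). With allow_chains=False this is the invariable-IDP
    mode described above; with allow_chains=True the SP may rely on a trust path.
    """
    if directly_trusted(sp, idp, trust):
        return True, "direct trust"
    if not allow_chains:
        return False, "IDP outside SP trust coverage; user must register with a supported IDP"
    path = find_trust_path(sp, idp, trust, max_hops)
    if path is None:
        return False, "no trust path within %d hops" % max_hops
    return True, "trust chain " + " -> ".join(path)


if __name__ == "__main__":
    for allow in (False, True):
        print("allow_chains=%s:" % allow, authenticate("SP1", "IDP_A", allow_chains=allow))
    print("SP2 / IDP_A:", authenticate("SP2", "IDP_A"))
```

Run as a script, the model first shows SP1 rejecting a user attached to IDP A (the user would have to register with IDP B, C or D, or move to SP2), then accepting the same user once trust chains are enabled, via the path SP1 -> IDP_D -> IDP_A. Lowering max_hops to 1 restores the rejection, which is the knob a deployment would use to bound how far transitive trust may extend.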